cancel
Showing results for 
Search instead for 
Did you mean: 

HTTPS problem with Portal behind WebDispatcher

MDöllinger
Explorer
0 Kudos
688

Hi everyone,

I'm using a SAP WebDispatcher to provide access to an Enterprise Portal. The problem is, I have to use HTTPS and no HTTP at all. The HTTPS access to the WebDispatcher works fine. When I type the URL https://<mywebdispatcher>/sap/admin everything works as expected.

But when I try to access the portal by typing https://<mywebdispatcher>, I get instantly redirected to a non-HTTPS connection (http://<mywebdispatcher>/irj/portal). The parameter I use is:

icm/HTTP/redirect_0 PREFIX=/, TO=/irj

If I use:

icm/HTTP/redirect_0 PREFIX=/, TO=/irj/portal

the logon screen is still HTTPS but the next then again is not.

I can't dactivate the HTTP service of the WebDispatcher, because I get a "page not found" after the redirection.

I am able to switch between HTTP and HTTPS at any time, once I have logged in.

What else do I have to do or what did I forget?

Thanks in advance,

Michael

Accepted Solutions (0)

Answers (6)

Answers (6)

MDöllinger
Explorer
0 Kudos

Hi all,

to anybody who might be interested: it was the certificate of the J2EE engine which was invalid due to a system copy. We adjusted this certificate and everything worked fine. Thanks to everyone who tried to help.

Regards,

Michael

MDöllinger
Explorer
0 Kudos

Sorry for the late reply...

This didn't help either. Maybe I can get it to work the way I want by only allowing https and no http on my portal. Is that possible? If yes, how do I do it?

Regards,

Michael

former_member185954
Active Contributor
0 Kudos

Hi,

HTTP can be disabled by ensuring there is no entry icm/server_port_<xx> , with PROTS=HTTP

If you have a dual stack system, you may also want to remove any reference of HTTP in this parameter : icm/HTTP/j2ee_<xx>

Regards,

Siddhesh

tim_buchholz
Employee
Employee
0 Kudos

Dear Michael,

you need to specify the protocol that is to be used by the redirect. The documentation on icm/HTTP/redirect_<xx> states:

<i><b>The parameter has the following syntax:

icm/HTTP/redirect_<xx> = PREFIX=<URL prefix>[, FROM=<pattern for URL>, FROMPROT=<incoming protocol>, FOR=<pattern for host name:port>,TO=<new URL prefix>, PROT=<protocol>, HOST=<host>, PORT=<port number/name>]

<xx> must be specified in ascending order from 0.</b></i>

Try

icm/HTTP/redirect_0 PREFIX=/, TO=/irj, PROT=https

you can also use

icm/HTTP/redirect_0 PREFIX=/, TO=/irj, FROMPROT=http, PROT=https

to ensure that yll requests using HTTP will be redirected to HTTPS.

Best Regards,

Tim

MDöllinger
Explorer
0 Kudos

No success again, with wdisp/ssl_encrypt = 2 I still get the "certificate expired" error as stated in the tracefile above. I also think this is the wrong value anyway. If I understand correctly wdisp/ssl_encrypt = 2 would get me an encrypted connection between the webdispatcher and the portal server. What I need is an encrypted connection between the client (browser) and the webdispatcher. But when I enter the URL with HTTPS I get redirected to HTTP immediately.

Hope this made it clearer.

[edit]

Oh I forgot to mention I get a lot of

[Thr 6940] *** WARNING => redispatching of failed stateful request [http_route.c 3021]

in my tracefile. Could that also be a reason?

[/edit]

Regards,

Michael

MDöllinger
Explorer
0 Kudos

Thanks for the reply. I already read through this page, but didn't find anything that helps. The only thing I tried is to change the parameter wdisp/ssl_encrypt to 1 (was 0). Result: http still works fine, https doesn't work at all. In the tracefile I can see that the certificate for the ssl connection between WebDispatcher and WebAS in not valid anymore:

Tracefile:

[Thr 2212] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2212] SSL socket: local=<WebDisp IP>:3509 peer=<WebAS IP>:58801

[Thr 2212] <<- ERROR: SapSSLSessionStart(sssl_hdl=00BF9F08)==SSSLERR_SSL_CONNECT

[Thr 2212] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool.c 2077]

[Thr 2212] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 2212] session uses PSE file "<SECUDIR>\SAPSSLS.pse"

[Thr 2212] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 2212] >> -


Begin of Secude-SSL Errorstack -


>>

[Thr 2212] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=070119143315Z)

ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=070119143315Z)

[Thr 2212] << -


End of Secude-SSL Errorstack -


The certificate file SAPSSLS.pse is the same as for the https connection to the WebDispatcher and expires 2008. Where do the "notbefore" and "notafter" values come from?

Any suggestions?

Regards,

Michael

former_member185954
Active Contributor
0 Kudos

Hi Michael,

wdisp/ssl_encrypt = 2 with PROT=HTTP should work.

Regards,

Siddhesh

former_member185954
Active Contributor
0 Kudos